Computer Hacking Forensic Investigator v4 Exam 312-49 Investigating Corporate Espionage

Module XLI Page | 3599 Computer Hacking Forensic Investigator Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. 

Computer Hacking Forensic Investigator (CHFI)

Module XLI: Investigating Corporate Espionage

Exam 312-49


News: Changing the Face of OPSEC

Operations Security, or OPSEC, originated as a military discipline for protecting military operations. It is the process of denying an adversary (a competitor in the corporate world, or an individual engaged in malicious activity) access to the information that unauthorized entities seek in order to achieve their goals against a person or organization. Every piece of information is significant to an organization's business and should always be protected to avoid trouble.

Many organizations are realizing the need for OPSEC and its role in the organization's security operations. OPSEC has proven to be a low-cost addition to organizations' existing security programs for protecting them against corporate espionage. All federal service providers are required to integrate OPSEC into their business proposals, but many organizations are doing so voluntarily in other interactions as well. Examples include Raytheon, Consolidated Networks Corporation and H&R Block.


Case Study: The New Spies

Source: http://www.newstatesman.com/

The private espionage industry is in high demand, and environmental protest groups are among its main targets. The Camp for Climate Action focused on getting inside Kingsnorth power station to prevent the construction of a new coal facility. To do so, the campers first had to look out for fellow protesters who were actually hired by private companies.

According to the private espionage industry, about one in four of the camp's comrades is on a multinational's payroll.

Russel Corn, the managing director of Diligence, says that private spies make up as much as 25 per cent of every activist camp. In April, the anti-aviation campaign network Plane Stupid was one of the main organizers of the eco-camp built to protest against the expansion of Heathrow Airport. He also said that one of its activists, Ken Tobias, was working for a corporate espionage firm called C2i; Tobias had been hired to divert and disrupt the group's campaigning.

Tobias first came to a Plane Stupid meeting in July 2007, appearing to be a committed former Oxford student striving to reduce aircraft emissions. The group grew suspicious, however, because he showed up early to meetings, constantly pushed for increasingly dramatic direct action and, the ultimate giveaway, dressed a little too well for an eco-warrior. When the team made enquiries around Oxford, they found an old college friend of his who identified him as Toby Kendall. A Google search revealed his Bebo page, which linked to a corporate networking site listing his job as an analyst at C2i International.

Cara Schaffer contacted the Student/Farmworker Alliance, a group of American college students who lobby fast-food companies on behalf of migrant workers who harvest tomatoes in Florida. These workers are smuggled into the US by gangs who take their passports and force them to work. Schaffer's eagerness raised suspicion, and an Internet search revealed her actual identity: she owned Diplomatic Tactical Services, a private espionage firm.

From New York and London to Moscow and Beijing, any decent-sized corporation can now hire former agents from the CIA, FBI, MI5, MI6, and the KGB. "MI5 and MI6 in particular have always guided ex-employees into security companies," explains Annie Machon, the former MI5 agent.

Blackwater's vice-chairman, J Cofer Black, who runs TIS, said that it operates a 24/7 intelligence fusion and warning centre. It monitors civil unrest, terrorism, economic stability, environmental and health concerns, and information technology security around the world.


Like the state security services that ended up running Class War in the 1990s after a successful penetration, these spies pass as believable members of any protest movement. In 2007, the Campaign Against Arms Trade called in the police after court documents revealed that weapons manufacturer BAE Systems had paid a private agency to spy on the peace group.


News: Confessions of a Corporate Spy

Source: http://www.computerworld.com/

A former National Security Agency analyst who is an expert in corporate espionage described incidents in which he easily found his way into many U.S. companies. In one case, he said, within just a few hours he obtained product plans and specifications worth billions of dollars.

Ira Winkler, global security strategist at CSC Consulting, spoke at Computerworld's Premier 100 IT Leaders Conference and punctured several popular misunderstandings about information security. At a large company, he persuaded a guard to admit him by saying he had lost his badge and presenting a business card as a substitute. He exploited many security weaknesses, from unlocked doors to forged signatures. He found that most of the information he needed was already present on the Internet. For example, at one company, he worked out which people to target by reading the company newsletter on the firm's website. Lawyers are also a target; he called them the worst at computer security.

Winkler says that some companies protect all their information equally, when instead they should devise a system that protects it according to priority. He offered a formula: risk equals the product of threat, vulnerability, and value, divided by countermeasures.


Module Objective

Information can make or mar the success story of an organization in today’s business world. There has been a buzz for a while about competitors stealing trade secrets and other information to enhance their competitive edge. Companies all over the world are losing billions of dollars due to trade secret thefts. Losses due to corporate espionage are far more devastating than other technical and non-technical losses. The Module “Investigating Corporate Espionage” will discuss various aspects of corporate espionage and strategies to prevent and investigate such cases. This module will familiarize you with:

Corporate Espionage

Motives behind Spying

Information that Corporate Spies Seek

Causes of Corporate Espionage

Spying Techniques

Defense from Corporate Spying

Tools


Module Flow


Introduction to Corporate Espionage

According to www.scip.org, “Espionage is the use of illegal means to gather information.” Information gathered through espionage is generally confidential information that the source does not want to divulge or make public. The term “Corporate espionage” is used to describe espionage for commercial purposes. Corporate espionage targets a public or private organization to determine their activities and obtain market-sensitive information such as client lists, supplier agreements, personnel records, research documents, and prototype plans for a new product or service. This information, if leaked to competitors, can adversely affect the business and market competitiveness of the organizations.

It is widely believed that corporate espionage is a high-tech crime committed by highly skilled persons. On the contrary, corporate penetration is usually accomplished with simple and preventable methods. Corporate spies do not depend on computer networks alone for information; they look for the easiest ways to gather it. Even trash bins and scraps of paper can be of great help in collecting sensitive information. Spies look for areas that are generally ignored. For example, they take advantage of people's negligence, such as forgetting to close doors or leaving scrap or waste paper containing sensitive information lying around.

Market research and surveys show the severity of corporate espionage. According to the FBI and other similar market research organizations, U.S. companies lose anywhere from $24 billion to $100 billion annually due to industrial espionage and trade secret thefts, whereas technical vulnerabilities are responsible for just 20% or less of all losses.


Motives Behind Spying

Motives behind spying include:

Financial Gain:

The main purpose of corporate espionage is financial gain. A company’s trade secrets can be sold for millions of dollars. Competitors can use the stolen information to leverage their market position and obtain great financial benefits.

Disgruntled Employee/Professional Hostilities:

Professional hostilities are also a result of market competition. Competitors often resort to publicizing an organization's internal issues that might otherwise have been kept private and resolved in time. There have been many instances in which a rival company has disclosed secret information collected through corporate espionage, resulting in plummeting stocks and drastic decreases in the target's market capitalization.

Challenge and Curiosity/Just for Fun:

People sometimes indulge in corporate espionage just for fun and to test their skills. Students of security programs and researchers often try to reenact corporate espionage. Though not disastrous, it compromises corporate information’s security. These people themselves can also be turned into a target for corporate espionage.

Personal Relations:

Many times, a corporate spy is motivated by personal or non-ideological hostility towards the country or organization. Personal hostilities of disgruntled employees and job seekers towards an organization play a major role in almost all corporate espionage cases. The offenders reveal important, sensitive information to others out of spite.


Information that Corporate Spies Seek

Information that corporate spies seek includes:

Marketing and new product plans

Source code of software applications, which a competitor can use to develop a similar application or to design an attack that brings down the original application, causing financial losses to the developer

Corporate strategies

Target markets and prospect information

Business methods

Product designs, research, and costs. Huge investments are wasted if the product design and related research are stolen, because the competitor can develop the same product and offer it for less

Alliance and contract arrangements: delivery, pricing, and terms

Customer and supplier information

Staffing, operations, and wage/salary

Credit records or credit union account information

All of the above information is considered crucial for the success of an organization. Leaks in this information could have catastrophic effects on organizations.


Corporate Espionage: Insider/Outsider Threat

Corporate espionage threats can be classified into two basic categories:

Insiders:

Insiders such as IT personnel, contractors, and disgruntled employees who can be lured by monetary benefits are the main targets of corporate spies. An insider threat is always considered more potent than an outsider threat because insiders have legitimate access to the facilities, information, computers, and networks. According to the available study reports, almost 85% of espionage cases originate from within the organization. Insiders can easily misuse their privileges to leak sensitive information, or can collaborate with an outsider in espionage. Several factors may prompt an insider to sell information to a competitor or spy, such as:

o Lack of loyalty

o Job dissatisfaction

o Boredom

o Mischief

o Money

Outsiders:

Outsiders include corporate spies and attackers who have been hired by a competing organization or are motivated by personal gain. These people try to intrude into the organization's affairs for the purpose of stealing sensitive information. An outsider can enter a company through Internet connection lines, physical break-ins, or the partner (vendor, customer, or reseller) networks of the organization.


Threat of Corporate Espionage due to Aggregation of Information

Aggregation of information, that is, collecting and storing it in one place, creates several espionage-related risks for an organization. If an organization aggregates and saves information at one particular location, personnel can access critical information easily. Aggregation of information can lead to either an insider or an outsider attack. In an insider attack, insiders or personnel with access privileges (read/write) can tamper with, edit, overwrite, or send critical information to competitors.

The other form of attack in espionage is an outsider attack. Here, the outsider who breaks into the private/isolated network of the organization can search, aggregate, and relate all the information, thus leading to espionage.


Techniques of Spying

Spying techniques include:

Hacking Computers and Networks

This is an illegal technique of obtaining trade secrets and information.

Social Engineering

According to www.microsoft.com, social engineering is defined as a “non-technical kind of intrusion that relies heavily on human interaction and often involves tricking other people to break normal security procedures.”

Social engineering is the use of influence and the art of manipulation of individuals for gaining credentials. Individuals at any level of business or communicative interaction can make use of this method. All the security measures that organizations adopt are in vain when employees get “socially engineered” by strangers. Some examples of social engineering include unwittingly answering the questions of strangers, replying to spam email, and bragging to co-workers.

Dumpster Diving

According to SearchSecurity, "Dumpster diving is looking for treasure in someone else's trash (a dumpster is a large trash container). In the world of information technology, dumpster diving is a technique used to retrieve information that could be used to carry out an attack on a computer network."

Dumpster Diving is searching for sensitive information in target companies’:

o Trash bins

o Printer trash bins

o User desk for sticky notes

Whacking

Whacking is wireless hacking that is used to capture information passing through a wireless network.

Phone Eavesdropping

Phone eavesdropping is eavesdropping using telephones. "Electronic eavesdropping is the use of an electronic transmitting or recording device to monitor conversations without the consent of the parties."

Network Leakage

Most organizations set up their networks to block or limit inbound and outbound connections. Even organizations that are starting to filter outbound traffic still allow certain traffic out. Two types of traffic that are always allowed out of an organization are web and email traffic.
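
Because web and email traffic is always allowed out, outbound filtering alone will not catch a large upload to a file-sharing or webmail host; accounting for the volume sent per user and destination will. The following is an added example, not code from this module, that parses constructed proxy log lines (the five-field format, user names, hosts and byte counts are all invented for illustration) and flags the (user, host) pairs whose upload volume exceeds a threshold.

```python
"""Spot possible data leakage over the outbound channels that are always
allowed out (web and email), using constructed proxy log lines.

Added example, not code from the CHFI module. The log format (timestamp,
user, method, host, bytes sent), the user names, hosts and byte counts are
all constructed for illustration."""
from collections import defaultdict

# Constructed proxy log: timestamp user method host bytes_out
SAMPLE_PROXY_LOG = """\
2024-03-01T09:01:12 alice POST intranet.example.internal 2048
2024-03-01T09:05:40 alice GET news.example.org 51200
2024-03-01T09:07:03 bob POST files.example-share.net 734003200
2024-03-01T09:09:55 bob POST files.example-share.net 812000000
2024-03-01T09:12:30 carol POST mail.example-webmail.com 5242880
2024-03-01T09:15:01 carol POST mail.example-webmail.com 6291456
2024-03-01T09:20:17 alice POST mail.example-webmail.com 1048576
"""


def parse_proxy_log(text):
    """Parse log lines into dicts; lines without exactly five fields are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, user, method, host, sent = parts
        records.append({"ts": ts, "user": user, "method": method,
                        "host": host, "bytes_out": int(sent)})
    return records


def upload_volume_by_user_host(records):
    """Sum bytes sent per (user, host) for upload-style requests (POST/PUT).
    GET responses carry data inbound, so they are not counted as leakage."""
    totals = defaultdict(int)
    for r in records:
        if r["method"] in ("POST", "PUT"):
            totals[(r["user"], r["host"])] += r["bytes_out"]
    return dict(totals)


def flag_suspicious_uploads(records, threshold_bytes=100 * 1024 * 1024):
    """Return (user, host, total_bytes) tuples whose outbound volume exceeds the
    threshold, largest first. A firewall that lets web and email out passes
    every one of these uploads; only volume accounting makes them visible."""
    totals = upload_volume_by_user_host(records)
    flagged = [(u, h, t) for (u, h), t in totals.items() if t > threshold_bytes]
    return sorted(flagged, key=lambda item: item[2], reverse=True)


if __name__ == "__main__":
    for user, host, total in flag_suspicious_uploads(parse_proxy_log(SAMPLE_PROXY_LOG)):
        print(f"{user} uploaded {total / 2**20:.1f} MiB to {host}")
```

With the default 100 MiB threshold only bob's uploads to the file-sharing host are flagged; lowering the threshold to 10 MiB also surfaces carol's repeated webmail attachments, which is the usual trade-off between missed leaks and analyst noise.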

Cryptography

Cryptography is a technique for garbling a message so that its meaning is concealed. With cryptography, you start with a plaintext message, which is the message in its original form. You then use an encryption algorithm to garble the message, which creates ciphertext. You would then use a decryption algorithm to take the ciphertext and convert it back to the plaintext message. During encryption and decryption, what protects the ciphertext and stops someone else from decrypting it back to the plaintext message is the key. Therefore, the secrecy of the ciphertext rests on the secrecy of the key and not on the secrecy of the algorithm. Thus, to use an encryption program, you have to generate a key. The key is usually tied to a user name and email address.


No validation is performed on that information, so anyone can enter bogus details, which could later be used in a man-in-the-middle attack that tricks someone into using a false key. If you know a user's public key, you can encrypt a message to that user, but only someone who knows the matching private key can decrypt it. The public key can be distributed via a trusted channel, but the private key should never be given out. If someone gains access to your private key, they can decrypt and read all your messages.
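
Since the name and email on a key are self-asserted, the defence against a false key is to compare the key's fingerprint with one obtained over a trusted channel. The following is an added example, not code from this module or from any real encryption program: the "public keys" are constructed random byte strings, and the fingerprint format (hex SHA-256 of the key bytes) is an assumption made for the example, since real tools define their own.

```python
"""Check a received public key against a fingerprint learned over a trusted
channel, so that a substituted (false) key carrying the same name and email
is rejected.

Added example, not code from the CHFI module or any real encryption program.
The keys are constructed random byte strings standing in for real public
keys, and the fingerprint format (hex SHA-256 of the key bytes) is an
assumption for this example."""
import hashlib
import hmac
import os


def fingerprint(public_key_bytes):
    """Hex SHA-256 of the raw key bytes: short enough to compare by phone or in person."""
    return hashlib.sha256(public_key_bytes).hexdigest()


def make_keyring_entry(name, email, public_key_bytes):
    """A keyring entry carries only self-asserted identity. Nothing validates the
    name or email at key generation, which is exactly why they cannot be trusted."""
    return {"name": name, "email": email, "key": public_key_bytes}


def verify_entry(entry, trusted_fingerprints):
    """True only if the key's fingerprint equals the one recorded for that email
    via a trusted channel. An email with no recorded fingerprint is rejected
    rather than assumed genuine."""
    expected = trusted_fingerprints.get(entry["email"])
    if expected is None:
        return False
    return hmac.compare_digest(fingerprint(entry["key"]), expected)


def false_key_scenario():
    """Constructed scenario: Alice's genuine key fingerprint was confirmed out of
    band; an interceptor then offers a key bearing an identical name and email.
    Returns (genuine_accepted, false_key_accepted)."""
    genuine_key = os.urandom(32)   # stand-in for a real public key (constructed)
    false_key = os.urandom(32)     # the interceptor's key (constructed)
    trusted = {"alice@example.com": fingerprint(genuine_key)}  # read over a trusted channel
    genuine = make_keyring_entry("Alice", "alice@example.com", genuine_key)
    impostor = make_keyring_entry("Alice", "alice@example.com", false_key)
    return verify_entry(genuine, trusted), verify_entry(impostor, trusted)


if __name__ == "__main__":
    print("genuine accepted, false key accepted:", false_key_scenario())
```

The point of the scenario is that the impostor entry is indistinguishable from the genuine one by name or email; only the out-of-band fingerprint separates them, which is why the module says the public key must be distributed via a trusted channel.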

Steganography

Steganography is data hiding; it is meant to conceal the fact that a message is being sent at all. With steganography, you have no idea that someone is even sending a sensitive message, because he/she will be sending an overt message that completely conceals the covert message inside it. Therefore, cryptography is often referred to as secret communication and steganography as covert communication. Insiders use steganography techniques to pass credentials out to other organizations.


Defense Against Corporate Spying

You can secure the confidential data of a company from spies using the following techniques:

Controlled Access:

o Encrypt the most critical data

o Never store sensitive information of the business on a networked computer

o Classify the sensitivity of the data and categorize personnel access rights to read/write the information accordingly

o Assign personnel duties with clearly defined need-to-know controls

o Ensure authorization and authentication to critical data

o Store confidential data on a stand-alone computer with no connection to other computers and the telephone line

o Install anti-virus software and password-protect the secured system

o Regularly change the password of the confidential files

Background investigation of the personnel:

o Verify the backgrounds of new employees

o Physical security checks should not be ignored

o Monitor the employees’ behavior

o Monitor systems used by employees

o Disable remote access

o Make sure that unnecessary account privileges are not allotted to normal users

o Disable USB drives on the employee network

o Enforce a security policy which addresses all concerns of employees

Basic security measures to protect against corporate spying:

Destroy all paper documents before trashing them. Secure all dumpsters and post ‘NO TRESPASSING’ signs

Conduct security awareness training programs for all employees regularly


Place locks on computer cases to prevent hardware tampering

Lock wire closets, server rooms, phone closets, and other sensitive equipment

Never leave a voice-mail message or email broadcast message that gives an exact business itinerary

Install electronic surveillance systems to detect the physical intrusions


Steps to Prevent Corporate Espionage

The following are the steps that help in preventing corporate espionage:

Understand and prioritize critical assets

Determine the criteria that are used to estimate value. Monetary worth, future benefit to the company, and competitive advantage are sample criteria that could be used. Whatever the criteria are, they need to be determined first.

After all your assets are scored, you need to prioritize them based on the criteria. When you are done, you should have a list of all the critical assets across your organization. These assets represent the crown jewels of your organization and need to be properly protected. Once the list of assets has been determined, the critical assets need to be protected. Understanding the likely attack points and how an attacker would compromise the asset is the “Know Thy Enemy” portion of the equation.

Define the acceptable level of loss

The possibility for loss is all around, and risk management becomes a driving factor in determining what efforts an organization should focus on and what it can ignore. As difficult as it may seem for all critical assets, an acceptable level of risk needs to be defined. This helps an organization to focus on what should or should not be done with regard to the insider threat. A cost-benefit analysis is a typical method of determining the acceptable level of risk. The general premise behind a cost-benefit analysis is determining what the cost is if the asset is lost in part or in whole, versus what the cost is to prevent that loss. While this is hard for some people to swallow, there are actually many situations where it is more cost effective to do nothing about the risk than to try to prevent or reduce it.

Typically, there are two methods to deal with potential loss: prevention and detection. Preventive measures are more expensive than detective measures. With a preventive measure, you stop the risk from occurring. With detective measures, you allow the loss to occur but detect it in a timely manner to reduce the time period in which the loss occurs. Defining an acceptable level of loss enables an organization to determine whether they should implement preventive or detective measures. If your acceptable level of loss is low, which means you have a low tolerance for a loss to a given asset, a preventive measure would be more appropriate to stop the loss. You would have to be willing to spend the extra money on appropriate preventive measures. If your acceptable level of loss is high, this means you have a higher tolerance and would most likely spend less money on a solution and implement detective measures. Now you are allowing the loss to occur, but you are controlling and bounding it. Therefore, performing calculations on an acceptable level of loss plays a critical role in controlling the insider threat.
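
The two steps above (score and prioritize the assets, then pick prevention, detection or acceptance from a cost-benefit comparison) can be carried through in code. The following is an added example, not code from this module: it uses the risk formula quoted from Ira Winkler earlier in the module (risk = threat × vulnerability × value / countermeasures) to rank a constructed inventory, and then applies the text's decision rule. The 1-10 scales, the asset names, costs, and the 20% low-tolerance threshold in choose_control are all assumptions made for the example.

```python
"""Score and prioritize critical assets with the risk formula quoted from Ira
Winkler earlier in this module (risk = threat x vulnerability x value /
countermeasures), then pick a preventive or detective control, or accept the
risk, from a cost-benefit comparison against the acceptable level of loss.

Added example, not code from the CHFI module. The assets, 1-10 scores, costs
and the thresholds in choose_control are constructed assumptions."""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    value: float             # 1-10: monetary worth, future benefit, competitive advantage
    threat: float            # 1-10: likelihood and capability of the adversary
    vulnerability: float     # 1-10: how exposed the asset is today
    countermeasures: float   # 1-10: strength of controls already in place (>= 1)
    loss_if_compromised: float       # cost if the asset is lost in whole
    preventive_cost: float           # cost of a control that stops the loss
    detective_cost: float            # cost of a control that only detects and bounds it
    acceptable_loss_fraction: float  # share of the loss the organization will tolerate


def risk_score(a):
    """Winkler's formula; countermeasures is a divisor, so 1 means 'nothing in place'."""
    if a.countermeasures < 1:
        raise ValueError("countermeasures must be >= 1")
    return a.threat * a.vulnerability * a.value / a.countermeasures


def prioritize(assets):
    """Crown jewels first: the highest risk score at the top of the list."""
    return sorted(assets, key=risk_score, reverse=True)


def choose_control(a, low_tolerance=0.2):
    """Cost-benefit rule (assumed thresholds): if no control costs less than the
    loss it addresses, doing nothing is the cheaper choice; a low tolerance for
    loss buys prevention; a higher tolerance settles for cheaper detection."""
    loss = a.loss_if_compromised
    can_prevent = a.preventive_cost < loss
    can_detect = a.detective_cost < loss
    if not can_prevent and not can_detect:
        return "accept"
    if a.acceptable_loss_fraction <= low_tolerance and can_prevent:
        return "preventive"
    if can_detect:
        return "detective"
    return "preventive"


def plan(assets):
    """Return (name, risk score, chosen control) in priority order."""
    return [(a.name, risk_score(a), choose_control(a)) for a in prioritize(assets)]


# Constructed inventory for illustration.
SAMPLE_ASSETS = [
    Asset("Source code repository", 10, 8, 6, 2, 5_000_000, 400_000, 60_000, 0.05),
    Asset("Customer list", 7, 7, 5, 1, 800_000, 300_000, 20_000, 0.5),
    Asset("Wage records", 5, 6, 4, 3, 200_000, 150_000, 10_000, 0.1),
    Asset("Cafeteria menu", 1, 2, 9, 1, 500, 5_000, 2_000, 1.0),
]

if __name__ == "__main__":
    for name, score, control in plan(SAMPLE_ASSETS):
        print(f"{score:7.1f}  {control:10s}  {name}")
```

Note that the cafeteria menu has a high vulnerability score yet ends up accepted: both controls cost more than the loss they would address, which is the "do nothing" case the text describes. The customer list outranks the source code only because nothing at all protects it (countermeasures = 1), which is the kind of result that makes the scoring step worth doing explicitly.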

Control access

The best method for controlling the insider threat is limiting and controlling access. In almost every situation in which an insider causes a compromise, it is because someone had more access than he/she needed to do his/her job. There are usually other factors at play, but the number one factor is properly controlling access. To prevent an insider attack, allocate each person the least amount of access that he/she needs to do his/her job. Encrypt the most critical data. Never store sensitive information about the business on a networked computer; store confidential data on a standalone computer that has no connection to other computers or to the telephone line. Regularly change the password of the confidential files.
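
The "Controlled Access" bullets earlier (classify the data, categorize read/write rights, define need-to-know, ensure authorization) and the least-privilege rule above come together in one access decision. The following is an added example, not code from this module: the classification levels, roles, projects and sample requests are constructed, and the decision rule (no reading above your clearance, no access outside your assigned projects, writes only where explicitly granted, deny by default) is an assumption chosen to illustrate the principle.

```python
"""Classification-aware, need-to-know access check, covering the 'Controlled
Access' bullets and the 'Control access' step of this module.

Added example, not code from the CHFI module. The classification levels,
roles, projects and sample requests are constructed, and the decision rule
(no reading above clearance, no access outside assigned projects, writes
only where explicitly granted, deny by default) is an assumption chosen to
illustrate least privilege."""
from dataclasses import dataclass

LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


@dataclass(frozen=True)
class Document:
    path: str
    classification: str
    project: str


@dataclass(frozen=True)
class Principal:
    user: str
    clearance: str
    projects: frozenset   # need-to-know: projects this person works on
    writable: frozenset   # subset of projects where write is explicitly granted


def check_access(principal, doc, action):
    """Return (allowed, reason). Anything not explicitly allowed is denied."""
    if action not in ("read", "write"):
        return False, f"unknown action {action!r}"
    if doc.classification not in LEVELS or principal.clearance not in LEVELS:
        return False, "unknown classification label"
    if LEVELS[doc.classification] > LEVELS[principal.clearance]:
        return False, f"{doc.classification} is above {principal.user}'s {principal.clearance} clearance"
    if doc.project not in principal.projects:
        return False, f"{principal.user} has no need-to-know for project {doc.project}"
    if action == "write" and doc.project not in principal.writable:
        return False, f"{principal.user} is read-only on project {doc.project}"
    return True, "ok"


def audit(principal, doc, action, log):
    """Decide and append one audit line; authorization decisions are evidence later."""
    allowed, reason = check_access(principal, doc, action)
    verdict = "ALLOW" if allowed else "DENY"
    log.append(f"{verdict} {principal.user} {action} {doc.path}: {reason}")
    return allowed


# Constructed principals and documents.
ENGINEER = Principal("alice", "confidential", frozenset({"nextgen"}), frozenset({"nextgen"}))
CONTRACTOR = Principal("bob", "internal", frozenset({"nextgen"}), frozenset())
ROADMAP = Document("/srv/nextgen/roadmap.docx", "confidential", "nextgen")
BOARD_MINUTES = Document("/srv/exec/board_minutes.docx", "secret", "exec")
TEST_PLAN = Document("/srv/nextgen/test_plan.md", "internal", "nextgen")

if __name__ == "__main__":
    trail = []
    for who, what, how in [(ENGINEER, ROADMAP, "write"), (CONTRACTOR, ROADMAP, "read"),
                           (CONTRACTOR, TEST_PLAN, "write"), (ENGINEER, BOARD_MINUTES, "read")]:
        audit(who, what, how, trail)
    print("\n".join(trail))
```

The contractor is denied the roadmap twice over (clearance and no write grant) even though he is on the project; the engineer is denied the board minutes despite a higher clearance because she has no need-to-know for that project. Both denials are exactly the "more access than needed" cases the text says sit behind most insider compromises.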

Bait: Honeypots and Honeytokens

A honeypot is a system that is put on your network that has no legitimate function. It is set up to look attractive to attackers and lure them in. The key thing about a honeypot is that there is no legitimate use for it, so no one should be accessing it. If someone accesses the honeypot in any way, they are automatically suspicious because the only way they could have found it is if they were wandering around your network looking for something of interest. If they were only doing what they were supposed to, they would have never found the system.

A honeytoken works the same way as a honeypot, but instead of an entire system, it is done at the directory or file level. You put an attractive file on a legitimate server, and if anyone accesses it, you have caught them with their hand in the cookie jar. This usually has a higher payoff. Insiders are really good at figuring out which system or even which directory contains critical IP for the company. If you add an additional file to that system or directory, there is a chance that someone will stumble across it. Once again, since this is not a legitimate file, no one should be accessing it. There is no speculation involved if someone accesses the honeytoken file: they are clearly up to no good, since there is no reason anyone should be accessing it. Therefore, by setting them up correctly, honeytokens enable you to lay a virtual minefield on your critical system. If you are a legitimate user and know the files you are supposed to access, you can easily navigate the minefield and not set off any mines. However, if you are an insider trying to cause harm, there is a good chance that you will be tempted by a honeytoken or misstep.
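
Because no legitimate job function touches a honeytoken, turning accesses into alerts needs no judgement beyond a list of bait paths and a file-access audit log. The following is an added example, not code from this module: the honeytoken paths, user names and log lines are constructed, and the four-field log format (timestamp, user, action, path) is an assumption rather than any product's real format.

```python
"""Turn honeytoken file accesses into alerts from a constructed file-access
audit log.

Added example, not code from the CHFI module. The honeytoken paths, user
names and log lines are constructed, and the log format (timestamp, user,
action, path) is an assumption rather than any product's real format."""
from collections import Counter

# Bait files only: nobody's job requires opening these, so any touch is an alert.
HONEYTOKENS = frozenset({
    "/srv/projects/nextgen/roadmap_FINAL_confidential.xlsx",
    "/srv/hr/executive_salaries_2024.csv",
})

# Constructed audit log: timestamp user action path
SAMPLE_AUDIT_LOG = """\
2024-03-01T10:00:01 alice READ /srv/projects/nextgen/build_notes.txt
2024-03-01T10:02:14 bob READ /srv/hr/holiday_calendar.ics
2024-03-01T10:03:55 bob READ /srv/hr/executive_salaries_2024.csv
2024-03-01T10:04:10 bob COPY /srv/hr/executive_salaries_2024.csv
2024-03-01T10:09:42 alice READ /srv/projects/nextgen/roadmap_FINAL_confidential.xlsx
2024-03-01T10:11:00 svc_backup READ /srv/projects/nextgen/roadmap_FINAL_confidential.xlsx
"""


def parse_audit_log(text):
    """Split each line into timestamp, user, action and path (paths may contain spaces)."""
    records = []
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue
        ts, user, action, path = parts
        records.append({"ts": ts, "user": user, "action": action, "path": path})
    return records


def honeytoken_hits(records, honeytokens=HONEYTOKENS, exempt_users=frozenset({"svc_backup"})):
    """Every access to a honeytoken by a non-exempt principal is a hit. Backup and
    AV service accounts read everything, so they are exempted; keep that set tiny,
    because each exemption is a path through the minefield."""
    return [r for r in records if r["path"] in honeytokens and r["user"] not in exempt_users]


def alerts_by_user(hits):
    """Count hits per user; one user touching several honeytokens is the strongest signal."""
    return dict(Counter(r["user"] for r in hits))


if __name__ == "__main__":
    for user, n in alerts_by_user(honeytoken_hits(parse_audit_log(SAMPLE_AUDIT_LOG))).items():
        print(f"ALERT {user}: {n} honeytoken access(es)")
```

Both bob (read then copy of the salary file) and alice (one read of the roadmap) are alerted on; the backup service account's read is the one access that is not, and that exemption list is the part of the design to review most carefully.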

Mole Detection

With mole detection, you give a piece of data to a person, and if that information makes it out to the public domain, you know you have a mole. If you suspect that someone is a mole, you could "coincidentally" talk about something within earshot of him, and if you hear it being repeated somewhere else, you know that person was the mole. Mole detection is not technically sophisticated but can be useful in trying to figure out who is leaking information to the public or to another entity.

Profiling

An ideal way to control and detect the insider is by understanding their behavioral patterns. There are two general types of profiling that can be performed: individual and group. Individual profiling is related to a specific person and how he/she behaves. Every person is unique, so individual profiling helps the profiler decipher the pattern of normality for a given individual, and if behavior falls outside that norm, the person is flagged. The advantage of this method is that it closely matches an individual and is customized to how that single individual acts. The problem is that it changes with the person, so if an attacker knows that individual profiling is being performed and makes slow, minor adjustments to their behavior, they could slip through the system.

Monitoring

Monitoring is easy to do and provides a starting point for profiling. With monitoring, you are just watching behavior. In watching the behavior, you could inspect the information either manually or automatically but you are looking for a specific signature in the information you are monitoring. In order to profile a given person and flag exceptional behavior, you have to perform monitoring as the base. Therefore, in many cases, it is better to start with monitoring to see how bad the problem is and then move towards profiling if that is deemed necessary at a later point in time. Before an organization performs monitoring, it is critical that they do it in a legal and ethical manner. From a legality standpoint, it is critical that an organization determines whether information has an implied expectation of privacy.

Different types of monitoring can be performed:

• Application-specific

• Problem-specific

• Full monitoring

• Trend analysis

• Probationary

Signature Analysis

Signature analysis is a basic but effective measure for controlling insider threats or any malicious activity. Signature analysis is also called pattern analysis because you are looking for a pattern that is indicative of a problem or issue.

The problem with signatures is that you must know about an attack in order to create a signature for it. The first time an attack occurs, it is successful because you do not have a signature. After it is successful and you perform an incident response and damage assessment, you can figure out how the attack occurred and build an appropriate signature for the next time. However, if the next time the attacker attacks in a different manner, the signature might miss the attack again. This brings up two important points with regards to signatures. First, they will only catch known attacks; they will not catch zero-day attacks. A zero-day attack is a brand new attack that has not been publicized and is not well known. Second, signatures are rigid. If you have a signature for an attack and it occurs exactly the same way each time, you can detect it and flag it. However, if it is morphed or changed, there is a good chance the signature will no longer be effective. The last problem with signatures is that they take a default allow stance on security. A default allow stance lists what is malicious, and anything else that falls through is treated as good. By itself, signature detection says that if a signature matches, the behavior is bad, and if there is no signature match, the behavior must be good.
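As an added example (not code from the CHFI module or any vendor tool), the following contrasts the rigid, default-allow signature matching described above with the individual profiling described at the start of this section, both run over constructed audit events; the event format, user names, signature and thresholds are all assumptions.

```python
"""Signature matching versus individual profiling over constructed audit events.

Added example for this module; not from the CHFI text or any vendor tool.
The event format (user|hour|program and arguments|bytes_out), the users, the
signature and the thresholds are constructed assumptions.
"""
import re
from collections import defaultdict

# Constructed baseline period: events accepted as "normal" for each user.
BASELINE_LOG = """\
alice|09|winword.exe report.docx|0
alice|10|outlook.exe|120
alice|14|winword.exe budget.docx|0
alice|16|outlook.exe|200
bob|08|excel.exe q3.xlsx|0
bob|11|outlook.exe|90
bob|13|excel.exe forecast.xlsx|0
bob|17|outlook.exe|150
"""

# Constructed detection period: one event repeats a past incident exactly,
# one is the same activity done with a different tool, one is routine.
NEW_LOG = """\
bob|23|7z.exe a share.7z smb://fileserver/finance|480000
alice|22|winrar.exe a docs.rar smb://fileserver/finance|510000
alice|10|outlook.exe|150
"""

# A signature written after the earlier incident: the exact tool and syntax.
SIGNATURES = [
    ("known-archiver-exfil", re.compile(r"^7z\.exe a \S+ smb://fileserver/")),
]


def parse(log):
    """Turn the constructed pipe-separated lines into event dicts."""
    events = []
    for line in log.strip().splitlines():
        user, hour, command, bytes_out = line.split("|")
        events.append({"user": user, "hour": int(hour),
                       "command": command, "bytes_out": int(bytes_out)})
    return events


def signature_scan(events):
    """Default-allow: an event is reported only when a signature matches;
    everything else, including the same act done with another tool, passes."""
    hits = []
    for ev in events:
        for name, pattern in SIGNATURES:
            if pattern.search(ev["command"]):
                hits.append((ev["user"], name))
    return hits


def build_profiles(baseline):
    """Per-user norm: hours seen, programs used and the largest outbound volume."""
    profiles = defaultdict(lambda: {"hours": set(), "programs": set(), "max_bytes": 0})
    for ev in baseline:
        p = profiles[ev["user"]]
        p["hours"].add(ev["hour"])
        p["programs"].add(ev["command"].split()[0])
        p["max_bytes"] = max(p["max_bytes"], ev["bytes_out"])
    return profiles


def profile_scan(events, profiles):
    """Flag events outside a user's own norm, whatever tool was used.
    Returns (user, reasons) pairs; a user with no baseline is flagged as such.
    Caveat from the text: if the baseline is refreshed from recent events
    without review, slow, minor shifts in behavior get absorbed into the norm."""
    flagged = []
    for ev in events:
        p = profiles.get(ev["user"])
        if p is None:
            flagged.append((ev["user"], "no baseline for this user"))
            continue
        reasons = []
        if ev["hour"] not in p["hours"]:
            reasons.append("outside usual hours")
        if ev["command"].split()[0] not in p["programs"]:
            reasons.append("program never seen for this user")
        # Constructed threshold: ten times the largest volume seen in the baseline.
        if ev["bytes_out"] > 10 * p["max_bytes"]:
            reasons.append("outbound volume far above baseline")
        if reasons:
            flagged.append((ev["user"], "; ".join(reasons)))
    return flagged


if __name__ == "__main__":
    new = parse(NEW_LOG)
    print("signature hits:", signature_scan(new))
    print("profile flags:", profile_scan(new, build_profiles(parse(BASELINE_LOG))))
```

The signature catches only the repeat of the known incident, while the per-user profile flags both archiving events and leaves the routine one alone.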


Key Findings from U.S. Secret Service and CERT Coordination Center/SEI Study on Insider Threat

Source: http://www.cert.org/

The U.S. Secret Service and CERT Coordination Center/SEI study reveals the following about insider threats:

A negative work-related event triggered most insiders’ actions

The most frequently reported motive was revenge

The majority of insiders planned their activities in advance

Remote access was used to carry out the majority of attacks

Insiders exploited systemic vulnerabilities in applications, processes, and/or procedures, but relatively sophisticated attack tools were also employed

The majority of insiders compromised computer accounts, created unauthorized backdoor accounts, or used shared accounts in their attacks

The majority of attacks took place outside normal working hours


The majority of the insider attacks were only detected once there was a noticeable irregularity in the information system or a system became unavailable

The majority of attacks were accomplished using the company’s computer equipment

The insiders not only harmed the specific individuals, but also the organizations


Netspionage

Source: http://www.pimall.com/

“Netspionage is defined as network enabled espionage, and in our information systems world, it is an exciting way of …extending the old practice of competitive intelligence gathering. This new, computerized, and information-dependent world is heavily dependent on the web, networks, and software technology. The information gatherers of this new age are exploiting [our] dependency on technology for personal, corporate, and national gain.”

Corporate espionage is an old practice, but the advent of the Internet has made it easier, faster, and much more anonymous. Netspionage enables spies to steal sensitive corporate information without physically entering the company's premises.


Investigating Corporate Espionage Cases

Check the points of possible physical intrusion: Before starting an investigation into a corporate espionage case, carefully scan all points of possible physical intrusion. These points may provide clues on how the information leaked, and may also yield fingerprints of anybody who passed through, which are helpful when presenting the case before a court of law.

Check the CCTV records: Check all the CCTV records for any unusual activity. This often leads to the real culprit.

Check emails and attachments: Check all official emails and other emails, with their attachments, used at the workplace. In many cases, information is passed outside using email. Thoroughly scan any suspicious mail and try to find out its destination.

Check systems for backdoors and Trojans: Disgruntled employees install backdoors and Trojans on their systems, using their privileges as employees, before quitting their job. So, scan all the systems and check for backdoors and Trojans. If any backdoor or Trojan is discovered, trace where it connects to.

Check system, firewall, switch, and router logs: Logs record each event taking place in a network. Examine the logs of all network devices to identify suspicious activity, such as when and which data passed through the network and which services and protocols were used.

Screen the logs of network and employee monitoring tools, if any: If you have installed any kind of employee monitoring tool on your systems, analyze its reports. But before using any such monitoring tool, take care of the legal aspects.

Seek the help of law enforcement agencies if required: The help of law enforcement agencies is necessary to track the culprit and bring him or her to trial.
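One way to work the log-review steps above, as an added example that is not part of the module or of any vendor product: constructed firewall export lines are summarized per internal host and service so the analyst can see when and which data left, to where, and over which protocol, with after-hours volume pulled out as the starting point for review. The one-line-per-flow format, addresses, byte counts and business-hours window are assumptions.

```python
"""Triage of constructed firewall/router log lines: who sent what, where,
over which service, and when.

Added example for the investigation checklist; not from the CHFI text or
any vendor product. The one-line-per-flow format, the addresses, the byte
counts and the business-hours window are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime

WORK_START, WORK_END = 8, 18                                   # assumed business hours, Mon-Fri
SERVICE_NAMES = {21: "ftp", 22: "ssh", 53: "dns", 443: "https"}  # assumed port labels

# Constructed export: timestamp, internal source, external destination,
# protocol, destination port, bytes sent out.
FIREWALL_LOG = """\
2024-03-05T09:12:01 10.0.5.23 203.0.113.10 TCP 443 15200
2024-03-05T10:05:44 10.0.5.23 203.0.113.10 TCP 443 8800
2024-03-05T11:30:12 10.0.5.41 203.0.113.25 TCP 443 22000
2024-03-05T14:02:33 10.0.5.41 203.0.113.25 UDP 53 310
2024-03-06T02:14:07 10.0.5.23 198.51.100.7 TCP 22 48213000
2024-03-06T02:39:50 10.0.5.23 198.51.100.7 TCP 22 51060000
2024-03-06T23:48:19 10.0.5.77 198.51.100.9 TCP 21 9950000
"""


def is_after_hours(ts):
    """Weekend, or outside the assumed business-hours window."""
    return ts.weekday() >= 5 or not (WORK_START <= ts.hour < WORK_END)


def parse_flows(text):
    """Parse the constructed space-separated export into flow dicts."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, proto, dport, nbytes = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                      "proto": proto, "dport": int(dport), "bytes": int(nbytes)})
    return flows


def service_label(flow):
    """Name the service by port where known, else protocol/port."""
    return SERVICE_NAMES.get(flow["dport"], f'{flow["proto"].lower()}/{flow["dport"]}')


def summarize(flows):
    """Per internal host and service: session count, total bytes, after-hours
    bytes and the set of destinations."""
    summary = defaultdict(lambda: defaultdict(
        lambda: {"sessions": 0, "bytes": 0, "after_hours_bytes": 0, "dsts": set()}))
    for f in flows:
        entry = summary[f["src"]][service_label(f)]
        entry["sessions"] += 1
        entry["bytes"] += f["bytes"]
        entry["dsts"].add(f["dst"])
        if is_after_hours(f["ts"]):
            entry["after_hours_bytes"] += f["bytes"]
    return summary


def flag_hosts(summary, threshold_bytes):
    """Hosts whose after-hours outbound volume on any service exceeds the
    threshold, largest first; these are where the log review should start."""
    flagged = [(src, svc, e["after_hours_bytes"])
               for src, services in summary.items()
               for svc, e in services.items()
               if e["after_hours_bytes"] > threshold_bytes]
    return sorted(flagged, key=lambda t: t[2], reverse=True)


if __name__ == "__main__":
    s = summarize(parse_flows(FIREWALL_LOG))
    for src, svc, nbytes in flag_hosts(s, 5_000_000):
        print(f"{src} {svc}: {nbytes} bytes after hours to {sorted(s[src][svc]['dsts'])}")
```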


Employee Monitoring: Activity Monitor

Source: http://www.softactivity.com/

Activity Monitor allows you to track how, when, and what a network user did in any LAN. The system consists of a server part and a client part.

Features:

Views remote desktops

Easy Internet usage monitoring

Monitors software usage

Records an activity log for all workplaces to a local or shared network location. The log file includes typed keystrokes, records of switching between programs with time stamps, application paths and window names, visited websites, and more

Tracks any user's keystrokes on your screen in real-time mode. Passwords, email, chat conversations: you have the full picture

Takes snapshots of the remote PC screen on a scheduled basis. Easy spying without your presence. A time-sorted history of the activity is stored as compressed JPEGs on your computer

Total control over the networked computers. Start or terminate remote processes, run commands, copy files from remote systems. You may even turn the computer off or restart it, not to mention logging off the current user

Deploys Activity Monitor Agent (the client part of the software) remotely from the administrator's PC to all computers in your network

Auto detection of all networked computers with Agent installed

Automatically downloads and exports log files from all computers on a scheduled basis

HTML, Excel, CSV support to export data and reports

o Easy to understand reports in HTML format for viewing in browser

o Exports logs to MS Excel for advanced analysis. Views the total picture of what programs users work with

o Exports logs to CSV file for further importing into your custom database


o Combines log files from different computers or users and exports them into a single resulting file

You see it instantly on your screen when users type text on their computers

Monitors multiple employee computers simultaneously from a single workstation in LAN

The workplace surveillance software part, running on the monitored PC, is difficult for an employee to find because it does not show up in the task list (on Win9X) and runs completely invisibly

Installs, uninstalls, or stops Agent spy program remotely from the administrator's PC

Easy to install and use. Works on PCs with Windows 98/Me/NT/2000/XP/2003

Figure 40-1: Activity Monitor Screenshot (Source: http://i.d.com.com)


Figure 40-2: Activity Monitor- Admin Connection Screenshot


Spector CNE Employee Monitoring Software

Source: http://www.spector.com/

Spector CNE is the leading employee monitoring software, designed to provide businesses with a complete and accurate record of all of their employees' PC and Internet activity. It significantly prevents, reduces, or eliminates problems associated with Internet and PC abuse. When you absolutely need to know exactly what your employees are doing on the Internet, Spector CNE is the tool of choice. It allows you to install, configure, record, and review Internet and PC activity across your network.

Spector CNE gives a complete record of every email sent and received, every chat conversation and instant message, every website visited, every keystroke typed, every application launched, and detailed pictures of PC activity via periodic screen snapshots.

The following are the features of Spector CNE:

It monitors and conducts investigations on employees suspected of inappropriate activity

It monitors and increases employee productivity by reducing frivolous and inappropriate activity

It monitors and eliminates leaking of confidential information

It monitors and recovers lost crucial communications (email, chat & instant messages)

It monitors and assists help desk staff with PC recovery

It meets or exceeds federal, industry, or agency compliance requirements for keeping records of company communications and transactions

It monitors ongoing employee performance and PC proficiency

It obtains proof to support accusations of wrongdoing

It reduces security breaches

It detects the use of organization resources to engage in illegal or unethical activities

It limits legal liability (including sexual and racial harassment)

It enforces PC and Internet acceptable use policies


Track4Win

Source: http://www.track4win.com/

Track4Win monitors all computer activities and Internet use. It can automatically track the running time of every application on a computer. With powerful network support, it can easily collect application running times and track Internet use information through the network, log them into a database, and finally analyze them with very useful reports. It is an inexpensive tool to monitor web usage and computer activities in the network. To install Track4Win, the following minimum system requirements must be met:

Track4Win Professional is designed for Windows 95, Windows 98, Windows ME, Windows NT 4.0, Windows 2000, Windows XP, Windows 2003 Server, and Windows Vista (Beta)

Track4Win Enterprise is designed for Windows NT 4.0, Windows 2000, and Windows XP

o 10 MB free disk space

o IBM compatible PC with a Pentium-class microprocessor

o TCP/IP installed

Features of Track4Win are as follows:

Computer user/employee's current status monitoring

Multi-user & real-time monitoring

URL/website address capture and web content tracking

Invisibility in Windows Task Manager

Free email support

No additional hardware required

Abundant reports, ease of use, small size, fast running speed, and cool interface

The following are the technical features of Track4Win:

Data storage in MS Access database format

MS SQL Server upgradeable


Data stored in Microsoft Access database

Supports MS Access, MS SQL, Oracle, and ODBC database connections

Icon grasp and transfer

Figure 40-3: Track4Win Analyzer- File Log


Figure 40-4: Track4Win Analyzer- Hour Summary


Spy Tool: SpyBuddy

Source: http://www.exploreanywhere.com/

SpyBuddy is powerful spy software and a computer monitoring product for monitoring spouses, children, co-workers, or just about anyone else. It enables you to monitor all areas of your PC, tracking every action down to the last keystroke pressed or the last file deleted. SpyBuddy is equipped with the functionality to record all AOL/ICQ/MSN/AIM/Yahoo chat conversations, all websites visited, all windows opened and interacted with, every application executed, every document printed, every file or folder renamed and/or modified, all text and images sent to the clipboard, every keystroke pressed, every password typed, and more.

Features:

Internet Conversation Logging: Logs both sides of all chat and instant message conversations for AOL/ICQ/MSN/AIM/Yahoo Instant Messengers.

Disk Activity Logging: Records all changes made to your hard drive and external media.

Window Activity Logging: Captures information on every window that was viewed and interacted with.

Application Activity Logging: Tracks every application/executable that was executed and interacted with.

Clipboard Activity Logging: Captures every text and image item that was copied to the clipboard.

AOL/Internet Explorer History: Views all AOL and Internet Explorer websites visited before SpyBuddy was installed, and while SpyBuddy was not recording.

Printed Documents Logging: Logs specific information on all documents that were sent to the printer spool.

Keystroke Monitoring: Tracks all keystrokes pressed [including hidden system keys] and which windows they were pressed in. Keystrokes can also be passed through a formatter for easy viewing/exporting.

Websites Activity Logging: Logs all website title and addresses that were visited on the PC.

Screen Shot Capturing: Automatically captures screen shots of the desktop (or the active window) at set intervals.

Powerful Stealth Mode: Runs SpyBuddy in total stealth - the user will not know that it is running.


Website Filtering: Creates website and protocol ban-lists to prevent websites from being viewed while SpyBuddy is active.

Website Watching: Manages a list of websites for SpyBuddy to monitor, and if a specified keyword/phrase is found, it will record it.

Log File Back Dating: Discreetly backdates all log files to prevent file snoopers from detecting newly created log files.

Windows Startup: Configures SpyBuddy to start up for a single user, or to start up as a service for all users on the system - perfect for monitoring multiple users of a PC.

User-Based Startup: Configures SpyBuddy to only record specific users of a PC, rather than recording all the users.

Customizable HotKey: For total concealment, SpyBuddy allows you to customize the default hotkey.

Automatic Active Startup: Configures SpyBuddy to start in "Active" mode when it is started.

Password Protection: SpyBuddy is password protected to prevent others from starting/stopping the monitoring process, as well as changing SpyBuddy configuration settings.

Startup Alert: Automatically have SpyBuddy display a custom alert message when it is started - perfect for letting the users of the PC know that they are being monitored.

Email Log Delivery: SpyBuddy can periodically send you recorded activity logs as a specified format (HTML/Excel/Text/CSV/XML) as well as desktop screenshots to your email inbox at specified intervals.

Log Exporting: Exports SpyBuddy activity logs to 5 different formats: Microsoft Excel, HTML, CSV, plain text, and XML.

Precise User Tracking: SpyBuddy will ALWAYS log the current Windows user and the time and date an action is performed. This allows you to precisely track activity down to the exact user, at the exact time it happened.

Inactivity Timeout: Automatically suspends SpyBuddy from monitoring the PC if the machine is inactive for a specified amount of time.

Scheduling Agent: Automatically configures SpyBuddy to start or stop at specified times and dates, or to run at the same time every day of the week.

Automatic Log Clearing: SpyBuddy can automatically eradicate old/outdated logs from the machine after a certain amount of data or keystrokes have been logged.

Thread Priority: Adjusts SpyBuddy to adapt to your system. Using the built-in Thread Priority utility, you can make SpyBuddy run as fast as you need, depending on your system's specifications.


Figure 40-5: SpyBuddy Screenshot (Source: http://www.buy-spybuddy.com)


Tool: NetVizor

Source: http://www.netvizor.net/

NetVizor is employee monitoring software for corporate networks and the latest in award-winning network monitoring software. It is easy to monitor your entire network from one centralized location with the help of NetVizor. It allows the user to track workstations and individual users that may use multiple systems on a network. It allows the user to perform essential user activity monitoring, content filtering, remote administration, and more, from one central location.

The features of NetVizor are as follows:

It logs keystrokes typed, website visits, searches, application usage, files, and documents used

It logs Internet connections made, chat conversations, windows opened, email activities, all Internet traffic data, uploads, and downloads

It offers detailed user activity reports and network activity reports

It offers real-time visual remote monitoring, and web-based remote control

It disables spyware detectors


Figure 40-6: NetVizor screenshot


Tool: Privatefirewall w/Pest Patrol

Source: http://www.privacyware.com/

Privatefirewall is a personal firewall and intrusion detection application that eliminates unauthorized access to the PC. Its intuitive interface allows users to adjust default settings to create custom configurations.

Features:

Packet Filtering

Port Scanning

IP/Website Protection

Email Anomaly Detection

Advanced Application Protection

Figure 40-7: Privatefirewall with anti-spyware (Source: http://www.softpicks.net)


Internet Spy Filter

Source: http://www.tooto.com/spyhunter/

Internet Spyware Filter blocks spyware, web bugs, worms, cookies, ads, scripts, and other intrusive devices to protect users from being profiled and tracked. When a user is online, an attacker may be monitoring or tracking them without their knowledge or explicit permission. Hackers, advertisers, and corporations may use web bugs, spyware, cookies, worms, ads, and scripts to gain access to the user's information and invade their privacy.

Internet Spy Filter is designed to provide advanced protection from known data-mining, aggressive advertising, parasites, scumware, selected traditional Trojans, dialers, malware, browser hijackers, and tracking components. It functions like a firewall and protects online privacy and security. It acts as a spyware remover, personal firewall, and virus stopper.

Figure 40-8: Internet Spyware Filter screenshot


Spybot S&D

Source: http://www.safer-networking.org/

Spybot - Search & Destroy detects and removes spyware. Spyware silently tracks your surfing behavior to create a marketing profile of you that is transmitted without your knowledge to compilers and sold to advertising companies. Spybot can also clean usage tracks, an interesting function if you share your computer with other users and do not want them to see what you have been working on. It also allows you to fix some registry inconsistencies and produce extended reports.

Figure 40-9: Spybot - Search & Destroy screenshot (Source: http://www.globalfreeware.com)


Anti Spy Tool: SpyCop

Source: http://www.spycop.com/

SpyCop finds spy programs such as Spector designed specifically to record your screen, email, passwords, and much more. It detects and disables all known commercially available PC surveillance spy software products that are currently available to everyone.

Features:

Stop Password Theft: It detects spy software that is placed on your computer to capture your passwords

Keeps Your Emails Private: It alerts you if your emails are being snooped by spy software

Kills Instant Message & Chat Spy Software: It keeps your online chats and instant messages safe from prying eyes

Stops Surfing Monitors: SpyCop can prevent spy software from capturing and recording what websites you are visiting

Stops Keystroke Loggers: SpyCop protects you from spy software that can capture and record each keystroke

Prevents Online Credit Card Theft: SpyCop can keep your credit card information safe if you shop online


Figure 40-10: SpyCop screenshot


Spyware Terminator

Source: http://www.spywareterminator.com

Spyware Terminator is an adware and spyware scanner. It can remove spyware, adware, Trojans, keyloggers, home page hijackers, and other malware threats.

Features:

Removes Spyware: Spyware Terminator scans the computer for known threats and reports findings in a manner that is easy to read and interpret

Scheduled Scans: It gives users the ability to schedule spyware scans on a regular basis to ensure the computer's integrity

Antivirus Integration: It includes a popular award-winning open-source antivirus software, Clam AntiVirus (ClamAV), for optional integration to achieve a higher level of security


Figure 40-11: Spyware Terminator Scan Progress

XoftSpySE

Source: http://www.xoftspy.co.uk/

XoftSpySE is a spyware detection, scanning, and removal tool, protecting you from unwanted spyware.

Features:

XoftSpySE scans complete PC including memory & registry

It removes all spyware parasites, unwanted toolbars, and browser hijacks

It prevents identity and credit card theft

It increases your computer's speed

It has a user-friendly interface


Figure 40-12: XoftSpySE Screenshot (Source: http://www.grumpyphil.com)


Spy Sweeper

Source: http://www.spychecker.com/

Spy Sweeper safely detects and removes more traces of spyware including Trojans, adware, keyloggers, and system monitoring tools.

The features of Spy Sweeper are as follows:

Offers real-time protection: Spy Sweeper's smart shields block sophisticated spyware threats in real time, before they can infect your system. This new version of Spy Sweeper advances the industry standard in spyware blocking, stopping threats like Trojan-Downloader-LowZones and SpySheriff from ever installing in the first place. With Spy Sweeper, it is easy to keep your system spyware-free.

Advanced Detection and Removal: Its advanced detection and removal capabilities are effective at fully removing spyware that is notorious for being difficult to eliminate. Even the most malicious spyware programs are removed in a single sweep. You won't have to scan and restart your PC a number of times with Spy Sweeper: one sweep and your PC is clean.

Accurate Risk Assessment: It uses a risk assessment test when detecting spyware programs to let you know how dangerous different spyware programs are; some may pose an immediate danger to your personal information while others are simply annoying. Spy Sweeper gives you a quick overview of each threat, what it does, and its potential danger.

It can run spyware scans automatically, prevent new malware from being installed, and prevent unauthorized changes to your browser settings, startup programs, hosts file, and so on.


Figure 40-13: SpySweeper screenshot


Counter Spy

Source: http://www.sunbeltsoftware.com/

Counter Spy detects and removes adware and spyware from the system. It is a powerful spyware and malware remover that treads lightly on system resources.

Features of Counter Spy are as follows:

System Scans: The scanning engine checks your entire computer using in-depth scans of your computer's hard drives, memory, processes, registry, and cookies. It uses a continually updated database of thousands of known spyware signatures to provide you with ongoing and accurate protection. You can scan for spyware manually or schedule times for Counter Spy to scan your computer.

First Scan: FirstScan is Counter Spy's new scan and remove on-boot technology designed specifically to detect and remove the most deeply embedded malware. Counter Spy V2 is able to scan the disk and clean malware prior to Windows startup, so that hard-to-kill malware and rootkits can be exterminated. Triggered through a Counter Spy system scan, FirstScan will run at the system's boot time, bypassing the Windows operating system, to directly scan certain locations of the hard drive for malware, removing infections where found.

Hybrid Engine: Counter Spy is powered by a revolutionary hybrid engine that merges spyware detection and remediation with Sunbelt's all-new VIPRE technology, a new anti-malware technology created by Sunbelt which incorporates both traditional antivirus and cutting-edge anti-malware techniques in order to combat today's increasingly complex, blended malware threats.

Kernel-level Active Protection: The "kernel" is the heart of Windows. Counter Spy's Active Protection now works inside the Windows kernel (the core of the operating system), watching for malware and stopping it before it has a chance to execute on a user's system. As in the previous version of Counter Spy, Active Protection will also alert users for potentially harmful changes to their system, based on behavioral characteristics.

System Tools: My PC Explorers let you explore and manage key elements of your system that are normally hidden and difficult to change. My PC Checkup helps secure your computer by updating your computer settings to recommended security levels. The History Cleaner is a privacy tool that removes all Internet history usage logs and 75 different activities. The Secure File Eraser is a powerful deletion tool that completely erases any files you want removed from your computer.

ThreatNet: ThreatNet provides ongoing security risk information, which is used to update the Counter Spy spyware database. ThreatNet is a revolutionary network community that connects diverse Counter Spy users to share and identify new applications and signatures. This information helps block new spyware.


Figure 40-14: Counter Spy screenshot


SUPERAntiSpyware Professional

Source: http://www.superantispyware.com/

SUPERAntiSpyware Professional scans your computer for, and protects it against, known spyware, adware, malware, Trojans, dialers, worms, keyloggers, hijackers, and many other types of threats. It is one of the most thorough anti-spyware scanners available. Its multi-dimensional scanning and process interrogation technology detects spyware and removes spyware that other products tend to miss.

Features of SUPERAntiSpyware Professional are as follows:

It offers Quick, Complete and Custom Scanning of hard drives, removable drives, memory, registry, individual folders, and so on

It allows trusting items and excluding folders for complete customization of scanning

It detects and removes spyware, adware, malware, Trojans, dialers, worms, keyloggers, hijackers, and many other types of threats

It repairs broken Internet connections, desktops, registry editing, and more with its unique repair system

It offers Real-Time Blocking of threats to prevent potentially harmful software from installing or re-installing

Its Multi-Dimensional Scanning feature detects existing threats as well as future threats by analyzing threat characteristics in addition to code patterns

It schedules either quick, complete, or custom scans daily or weekly to ensure your computer is free from harmful software

System requirements:

The following are the requirements for installing SUPERAntiSpyware Professional:

Windows 98, 98SE, ME, 2000, XP, Vista, or Windows 2003

300 MHz CPU or above

128 MB Memory (minimum)


Figure 40-15: SUPERAntiSpyware screenshot

Figure 40-16: SUPERAntiSpyware: Detect and Remove Harmful Software


IMonitorPCPro – Employee Monitoring Software

Source: http://www.imonitorpc.com/

IMonitorPCPro monitors computer activities and Internet use by employees. It helps measure and document employee productivity. It is easy to use and configure, intuitive, and password protected. It runs invisibly and records the user’s activity, such as:

Programs used

Websites visited

Whole history of chat room activity (with advanced find)

Social network usage

Screen captures

Detailed activity reports

Summary reports

IMonitorPCPro also includes:

Website blocking

Program usage limits

Chat user blocking

User alerts

Advanced filtering


Figure 40-17: IMonitorPCPro screenshot


Case Study: HP Chief Accused of Corporate Spying

Source: http://www.thepeninsulaqatar.com/

Hewlett-Packard chairwoman Patricia Dunn clung to her job as she faced accusations that she ordered a probe in which board members and reporters were illicitly spied upon. California Attorney General Bill Lockyer vowed to prosecute wrongdoers at the end of his investigation into whether private detectives hired by HP impersonated board members and journalists to obtain private telephone records.

Lockyer’s office started its investigation after getting word that telephone records of board members had been obtained by a ruse known as pretexting. California has no law on the books about pretexting.

“We are fully cooperating with the attorney general’s office and providing any material they request from us,” Wischhusen said. Dunn followed former chief executive officer Carly Fiorina in trying to find out how information from a supposedly confidential board meeting was channeled to the press.

The probe initiated by Dunn found that board member George Keyworth had leaked the information. The same trick was used to obtain the personal telephone records of nine journalists. The US Society of Professional Journalists (SPJ) said that pretexting is a violation of press rights and suggested that HP should stand for Hackers of Privacy.


Case Study: India’s Growing Corporate Spy Threat

Source: http://www.atimes.com/

According to a survey, the Indian corporate sector faces the highest threat of fraud, including espionage. Many cases have recently surfaced in the Indian corporate world; the targets are mostly MNCs. The culprits are foreign companies and smaller local competitor firms. KPMG, the global consultancy, said that "Organizations today face a completely different set of challenges - globalization, rapidly evolving technology, rapid development in industry and business, risks and complexity of information and data management; the list is endless."

Spying and the extraction of sensitive information by unfair means are new in India, but such activities have been limited to government departments, defense establishments, and a few stray instances involving the business world. "What has changed in recent years," said Ashwin Parikh of Ernst & Young, "is the involvement of the corporate sector, and the methods used. This practice of using students [for instance] to pick up competitors' information has become rather rampant now."


Guidelines while Writing Employee Monitoring Policies

Source: http://www.employeemonitoring.net/

For security reasons, organizations monitor employees, and management should maintain policies governing that monitoring. Guidelines for writing employee-monitoring policies are as follows:

It is essential to make employees aware of what exactly is being monitored. Employee monitoring policies should be written to cover all the aspects of monitoring activities. It must be clear that monitoring occurs only if the organization suspects a problem.

Employees should be briefed regarding the organization’s policies and procedures. When hired, employees should learn the rules, regulations, policies, and procedures of the organization.

Employees should be made aware of what constitutes a policy violation, and the policies should state in detail the punishment an employee faces for violating the rules and regulations of the organization.

The policy should be specific and should apply to every employee in the organization. Irrespective of the position of the personnel, action should be taken against employees who violate the rules.

Specific and technical terms that help the employee understand the policy clearly should be highlighted by making them bold, underlined, or italicized.

It is necessary to have provisions for updating policies.

Policies should be consistent with the local laws of the land, since an employee may violate the rules and the organization may then need to bring that violation before a court of justice.


Summary

The term “corporate espionage” describes espionage conducted for commercial purposes against companies and governments, and to determine the activities of competitors.

Personal relations, disgruntled employees, and easy money are the main motives behind corporate spying

The major techniques used for corporate spying are hacking, social engineering, dumpster diving, and phone eavesdropping

Steps to prevent corporate espionage are understanding and prioritizing critical assets, defining an acceptable level of loss, controlling access, using baits, mole detection, profiling, monitoring, and signature analysis

Netspionage is defined as network-enabled espionage in which knowledge and sensitive proprietary information are generated, processed, stored, transmitted, and obtained via networks and computer systems.


Exercise:

1. What are the reasons behind corporate espionage?


2. What type of information do corporate spies look for?


3. What are the different techniques of spying?


4. Is there any technique to secure confidential data of a company from spies?


5. What are the steps to prevent corporate espionage?


6. How can you investigate corporate espionage cases?


7. What are the key findings from the U.S. Secret Service and CERT Coordination Center/SEI Study on Insider Threat?


8. What is Netspionage?


9. List the anti-spy tools.


10. Briefly explain the guidelines for writing employee monitoring policies.



Hands On

1. Go to the site http://www.usdoj.gov/criminal/cybercrime/18usc1831.htm and read § 1831, Economic Espionage.

2. Run the tool SpyBuddy and see the result.

3. Download the tool Nitrous Anti Spy from http://www.nitrousonline.com/antispydesc.shtml and use it for spyware protection on your personal computer.

4. Download the tool Activity Monitor from http://www.softactivity.com/, run it, and see the result.